From oub at mat.ucm.es Fri Sep 2 10:33:13 2022
From: oub at mat.ucm.es (Uwe Brauer)
Date: Fri, 02 Sep 2022 10:33:13 +0200
Subject: passwords with UTF8 chars?
Message-ID: <87a67i9nw6.fsf@mat.ucm.es>

Hi

Sorry for this elementary question, but I can't find an answer googling.

Is it possible to have a password that contains UTF8 chars, like Arabic,
Hebrew, Chinese or some IPA symbols??? That concerns also gpgsm

Regards

Uwe Brauer

-- 
I strongly condemn Putin's war of aggression against the Ukraine.
I support delivering weapons to Ukraine's military.
I support the ban of Russia from SWIFT.
I support the EU membership of the Ukraine.


From guru at unixarea.de Fri Sep 2 10:53:31 2022
From: guru at unixarea.de (Matthias Apitz)
Date: Fri, 2 Sep 2022 10:53:31 +0200
Subject: passwords with UTF8 chars?
In-Reply-To: <87a67i9nw6.fsf@mat.ucm.es>
References: <87a67i9nw6.fsf@mat.ucm.es>
Message-ID:

On Friday, September 02, 2022 at 10:33:13 a.m. +0200, Uwe Brauer via Gnupg-users wrote:
> 
> Hi
> 
> Sorry for this elementary question, but I can't find an answer googling.
> 
> Is it possible to have a password that contains UTF8 chars, like Arabic,
> Hebrew, Chinese or some IPA symbols??? That concerns also gpgsm

You can put whatever you want as password, also Russian in UTF-8. The
question is being able to key it in on any keyboard.

	matthias

-- 
Matthias Apitz, guru at unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
Peace instead of NATO! Мир вместо НАТО! Frieden statt NATO! ¡Paz en vez de OTAN!


From oub at mat.ucm.es Fri Sep 2 14:42:16 2022
From: oub at mat.ucm.es (Uwe Brauer)
Date: Fri, 02 Sep 2022 14:42:16 +0200
Subject: passwords with UTF8 chars?
References: <87a67i9nw6.fsf@mat.ucm.es>
Message-ID: <871qsu9cd3.fsf@mat.ucm.es>

>>> "MA" == Matthias Apitz writes:

> On Friday, September 02, 2022 at 10:33:13 a.m. +0200, Uwe Brauer via Gnupg-users wrote:
>> 
>> Hi
>> 
>> Sorry for this elementary question, but I can't find an answer googling.
>> 
>> Is it possible to have a password that contains UTF8 chars, like Arabic,
>> Hebrew, Chinese or some IPA symbols??? That concerns also gpgsm

> You can put whatever you want as password, also Russian in UTF-8. The
> question is being able to key it in on any keyboard.

Thanks, most of the distributions today come with a variety of keyboards
for different input methods. To be on the very safe side you could save
the password in UTF8 in a password manager.

-- 
I strongly condemn Putin's war of aggression against the Ukraine.
I support delivering weapons to Ukraine's military.
I support the ban of Russia from SWIFT.
I support the EU membership of the Ukraine.


From gnupg at kozminski.com Sat Sep 3 20:15:06 2022
From: gnupg at kozminski.com (Kris Kozminski)
Date: Sat, 03 Sep 2022 11:15:06 -0700
Subject: Unverifiable signatures of some downloads
Message-ID: <9ec697202594b18f1c573bbd24ae9c71@kozminski.com>

I downloaded stuff from https://gnupg.org/download/index.html and
signatures from https://gnupg.org/signature_key.asc

Checking the signatures produced those two failures:

npth-1.6.tar.bz2
gpg: Signature made Mon Jul 16 00:37:23 2018 PDT
gpg:                using RSA key D8692123C4065DEA5E0F3AB5249B39D24F25E3B6
gpg: Can't check signature: No public key

gpa-0.10.0.tar.bz2
gpg: Signature made Tue Oct 16 14:46:51 2018 PDT
gpg:                using RSA key D8692123C4065DEA5E0F3AB5249B39D24F25E3B6
gpg: Can't check signature: No public key

Web search seems to indicate that those are old signatures by Werner Koch.
Maybe the above downloads should be re-signed with the current signature
or perhaps the old one could be added to the public key block?

KK


From kloecker at kde.org Sat Sep 3 23:08:59 2022
From: kloecker at kde.org (Ingo Klöcker)
Date: Sat, 03 Sep 2022 23:08:59 +0200
Subject: Unverifiable signatures of some downloads
In-Reply-To: <9ec697202594b18f1c573bbd24ae9c71@kozminski.com>
References: <9ec697202594b18f1c573bbd24ae9c71@kozminski.com>
Message-ID: <12052102.O9o76ZdvQC@breq>

On Saturday, 3 September 2022 20:15:06 CEST Kris Kozminski wrote:
> I downloaded stuff from https://gnupg.org/download/index.html and
> signatures from https://gnupg.org/signature_key.asc

You can find a link to older keys at the end of
https://gnupg.org/signature_key.html

Regards,
Ingo


From rjh at sixdemonbag.org Thu Sep 8 00:09:54 2022
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Wed, 7 Sep 2022 18:09:54 -0400
Subject: Status of original PGP?
Message-ID:

On a lark I went looking for the current iteration of PGP. It was
bought by Symantec some years ago, and the last I heard they'd renamed
it to "Symantec Encryption Desktop". However, Symantec no longer has it
available for sale or download, and scouring their site turns up
basically nothing.

Does anyone know what happened to PGP?

Please note: I'm not encouraging anyone to use proprietary, non-free
software. My interest in this is purely historical.


From skquinn at rushpost.com Thu Sep 8 00:12:16 2022
From: skquinn at rushpost.com (Shawn K. Quinn)
Date: Wed, 7 Sep 2022 17:12:16 -0500
Subject: Status of original PGP?
In-Reply-To:
References:
Message-ID: <1bcda17d-2d03-20c8-65bf-462ea8ec7bda@rushpost.com>

On 9/7/22 17:09, Robert J. Hansen via Gnupg-users wrote:
> On a lark I went looking for the current iteration of PGP. It was
> bought by Symantec some years ago, and the last I heard they'd renamed
> it to "Symantec Encryption Desktop". However, Symantec no longer has it
> available for sale or download, and scouring their site turns up
> basically nothing.
> 
> Does anyone know what happened to PGP?
> 
> Please note: I'm not encouraging anyone to use proprietary, non-free
> software. My interest in this is purely historical.

I'm pretty sure it was discontinued, but I don't have a source for that.

-- 
Shawn K. Quinn
http://www.rantroulette.com
http://www.skqrecordquest.com


From dgouttegattat at incenp.org Thu Sep 8 01:27:41 2022
From: dgouttegattat at incenp.org (Damien Goutte-Gattat)
Date: Thu, 08 Sep 2022 00:27:41 +0100
Subject: Status of original PGP?
In-Reply-To:
References:
Message-ID: <2740699.DJkKcVGEfx@borealin.local.incenp.org>

On Wednesday, 7 September 2022 23:09:54 BST Robert J. Hansen via Gnupg-users wrote:
> Does anyone know what happened to PGP?

It is *supposedly* still available from Broadcom, under the name
"Symantec Desktop Email Protection" [1]. How you can *actually* get it
is another question. My understanding is that you first need to buy a
licence from one of Broadcom's partners, then get your licence number
[2], and then finally download the software [3].

> My interest in this is purely historical.

I had a somewhat similar interest a while ago. I was trying to find some
technical details about the current version of PGP, e.g., which
algorithms does it support? Did they implement ECC keys? If so, which
curves? etc.

I was never able to find this kind of information...

- Damien

[1] https://www.broadcom.com/products/advanced-threat-protection/encryption
[2] https://knowledge.broadcom.com/external/article/206503
[3] https://knowledge.broadcom.com/external/article/193931


From vedaal at nym.hush.com Thu Sep 8 03:25:14 2022
From: vedaal at nym.hush.com (vedaal at nym.hush.com)
Date: Wed, 07 Sep 2022 21:25:14 -0400
Subject: Status of original PGP?
In-Reply-To:
Message-ID: <20220908012514.37875805EA2@smtp.hushmail.com>

On 9/7/2022 at 6:14 PM, "Robert J. Hansen via Gnupg-users" wrote:

> On a lark I went looking for the current iteration of PGP. It was
> bought by Symantec some years ago, and the last I heard they'd renamed
> it to "Symantec Encryption Desktop". However, Symantec no longer has it
> available for sale or download, and scouring their site turns up
> basically nothing.
> 
> Does anyone know what happened to PGP?

=====

There is still a source for PGP freeware for PGP 8.0 and earlier:
http://www.pgpi.didisoft.com/products/pgp/versions/freeware/

(I followed the successive links and then got an error page, but if this
is still considered freeware for non-commercial use, then it is archived
somewhere... https://zedz.net/ )

Vedaal


From bernhard at intevation.de Mon Sep 12 11:43:21 2022
From: bernhard at intevation.de (Bernhard Reiter)
Date: Mon, 12 Sep 2022 11:43:21 +0200
Subject: Seeking Assurance on Security and Memory Leaks in SuSE GnuPG
In-Reply-To:
References: <71ff44eb-6527-c791-6274-2d69772905cb@gmail.com> <871qszfatc.fsf@wheatstone.g10code.de>
Message-ID: <202209121143.29263.bernhard@intevation.de>

On Tuesday 30 August 2022 18:41:19 Tony Lee via Gnupg-users wrote:
> By "full entropy" I assume you mean an assessed entropy of 80--120
> bits. Although in principle I agree, in practice it is very difficult
> to produce such randomness

Generating passphrases from a large dictionary makes this feasible.
E.g. https://wald.intevation.org/scm/browser.php?group_id=71&scm_plugin=scmhg
is a small tool I wrote a few years ago to understand this better;
calling it with the English dictionary from `trans`, I get

  ./ppgen.py -2
  Reading entries from /usr/share/trans/de-en....................
  Found 129207 dictionary entries.

  |= Number of words |= possibilities |
  | 4 | 2^67.9  |
  | 5 | 2^84.9  |
  | 6 | 2^101.9 |

So with 5 or six words, you easily have a passphrase in the desired range.
(There are other generators as well.)

In my experience, it is possible to memorize such passwords, by
constructing a story around it. Of course it is some effort, but then
again 3 or 4 words may be enough for your use-case; and see next point:

> I agree public-key encryption is
> much better for communication, but I have difficulty persuading others
> to install gpg properly!

Given the overall advantages, what are the difficulties to convince your
peers to install GnuPG? (Or any other OpenPGP implementation.)

> My own perception is that a similar
> oversight on gpg would provide much-needed reassurance to someone like
> myself who is in no position to evaluate such information from the
> open-source code

More documentation naturally is helpful, but it is a lot of effort to
write and it must be kept in sync. Who tells you that the overview
documentation still represents the technical implementation well?
A lot of things are changing by the month, not just the implementation,
but also the understanding of security properties (like attack
capabilities). But those have to be re-considered if the necessary
summary judgement of the overview shall be useful, I think.
So I think this overview documentation you are asking for would be less
useful than expected.

> what steps are
> taken to secure these critical items against malevolent software, or
> unwanted storage on disk which may be vulnerable to subsequent attack?

The first and most important step is to secure your operating system,
environment and storage according to your security needs. The challenge
here is that this is beyond GnuPG (or any other single application) to
control. Nor is it useful to try in many cases. Take virtualisation as
an example: there is no way for GnuPG to know if it runs in a virtual
computing environment where the memory can be frozen into storage at any
time. Same with safe deleting of files.

Putting the effort into following general secure computing practice will
help your GnuPG security more, usually.

Regards,
Bernhard

-- 
https://intevation.de/~bernhard   +49 541 33 508 3-3
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Managing Directors Frank Koormann, Bernhard Reiter


From accounts-gnupg at holbrook.no Tue Sep 20 18:56:38 2022
From: accounts-gnupg at holbrook.no (accounts-gnupg at holbrook.no)
Date: Tue, 20 Sep 2022 16:56:38 +0000
Subject: mutt locking
Message-ID:

Hey,

Not sure whether here or mutt list is the right place for this, but here goes:

---

When encountering a multipart/encrypted - application/pgp-encrypted
file, mutt asks me for a passphrase, but it does not register the input.

I am using /usr/bin/pinentry-tty for password input, which in the
interactive mode lets me paste a password from the terminal.

With mutt, neither paste nor entry makes a difference, it's just frozen
until the pinentry timeout expires.

My config:

* mutt 2.2.7
* pass 1.7.4
* gnupg 2.2.39 ()
* libgcrypt 1.10.1


From 400thecat at gmx.ch Wed Sep 21 07:06:18 2022
From: 400thecat at gmx.ch (Fourhundred Thecat)
Date: Wed, 21 Sep 2022 07:06:18 +0200
Subject: gpg --list-packets asks for passphrase
Message-ID:

Hello,

when I do: "gpg --list-packets file.gpg" on a public key encrypted file,
I am asked for a passphrase.

I am asking gpg to display info about the encrypted message, not to
decrypt it. Why am I prompted for a passphrase?

thank you,


From wk at gnupg.org Fri Sep 23 08:00:55 2022
From: wk at gnupg.org (Werner Koch)
Date: Fri, 23 Sep 2022 08:00:55 +0200
Subject: mutt locking
In-Reply-To: (Louis Holbrook via Gnupg-users's message of "Tue, 20 Sep 2022 16:56:38 +0000")
References:
Message-ID: <87h70yhboo.fsf@wheatstone.g10code.de>

On Tue, 20 Sep 2022 16:56, Louis Holbrook said:

> I am using /usr/bin/pinentry-tty for password input, which in the
> interactive mode lets me paste a password from the terminal.

Please use pinentry-curses or, if you run in an xterm, better one of the
GUI pinentries. The pinentry-tty is a very dumb one which is unlikely to
work correctly with another curses or slang application like Mutt.

Shalom-Salam,

   Werner

-- 
The pioneers of a warless world are the youth that
refuse military service.             - A. Einstein


From wk at gnupg.org Fri Sep 23 08:02:53 2022
From: wk at gnupg.org (Werner Koch)
Date: Fri, 23 Sep 2022 08:02:53 +0200
Subject: gpg --list-packets asks for passphrase
In-Reply-To: (Fourhundred Thecat via Gnupg-users's message of "Wed, 21 Sep 2022 07:06:18 +0200")
References:
Message-ID: <87czbmhble.fsf@wheatstone.g10code.de>

On Wed, 21 Sep 2022 07:06, Fourhundred Thecat said:

> Why am I prompted for passphrase?

So that --list-packets can show you the encrypted content with all the
interesting packets. Hit cancel and you are done.

Please note that the output of --list-packets is strictly for debugging
purposes and may change without notice.

Salam-Shalom,

   Werner

-- 
The pioneers of a warless world are the youth that
refuse military service.             - A. Einstein
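An added example, not Bernhard Reiter's ppgen.py, that reproduces the "possibilities" column of his table from the dictionary size alone (129207 entries), computes how many words reach Tony Lee's 80--120 bit range, and draws a passphrase with Python's CSPRNG; the word list below is a constructed stand-in for the real `trans` dictionary.

```python
import math
import secrets

# Constructed word list standing in for a real dictionary. Bernhard's run
# used 129207 entries from /usr/share/trans/de-en; that dictionary is only
# modelled here by its size, not its contents.
SAMPLE_WORDS = ["anchor", "basalt", "cinder", "dapple", "ember", "fjord",
                "gravel", "harbor", "island", "juniper", "kestrel", "lantern",
                "meadow", "nectar", "orchid", "pebble"]


def entropy_bits(dict_size: int, n_words: int) -> float:
    """Entropy of n_words drawn uniformly, with replacement, from a
    dictionary of dict_size distinct entries: n_words * log2(dict_size).
    This counts only the draw; it does not credit word order tricks or
    separators, so it is a conservative figure."""
    if dict_size < 2 or n_words < 1:
        raise ValueError("need at least two dictionary entries and one draw")
    return n_words * math.log2(dict_size)


def words_needed(dict_size: int, target_bits: float) -> int:
    """Smallest number of words whose entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(dict_size))


def possibilities_table(dict_size: int, counts=(4, 5, 6)) -> dict:
    """Reproduce the '|= Number of words |= possibilities |' table as a
    mapping {n_words: exponent of 2, rounded to one decimal}."""
    return {n: round(entropy_bits(dict_size, n), 1) for n in counts}


def generate_passphrase(words, n_words: int, sep: str = " ") -> str:
    """Pick n_words uniformly using the secrets module (a CSPRNG), never
    random.choice. Repeats are allowed on purpose: rejecting duplicates
    would make the draws dependent and entropy_bits() an overestimate.
    A dictionary with duplicate entries would also overstate entropy."""
    if len(set(words)) != len(words):
        raise ValueError("dictionary must not contain duplicate entries")
    return sep.join(secrets.choice(words) for _ in range(n_words))


if __name__ == "__main__":
    N = 129207  # dictionary size reported by ppgen.py in the post above
    for n, bits in possibilities_table(N).items():
        print(f"| {n} | 2^{bits} |")
    print("words for 80 bits:", words_needed(N, 80))
    print("words for 120 bits:", words_needed(N, 120))
    print("sample passphrase:", generate_passphrase(SAMPLE_WORDS, 6))
```

With the 16-word constructed list the sample passphrase is far weaker (6 words give 24 bits); the point of the table is that the dictionary size, not the word count, does most of the work.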
From accounts-gnupg at holbrook.no Fri Sep 23 18:19:42 2022
From: accounts-gnupg at holbrook.no (accounts-gnupg at holbrook.no)
Date: Fri, 23 Sep 2022 16:19:42 +0000
Subject: mutt locking
In-Reply-To: <87h70yhboo.fsf@wheatstone.g10code.de>
References: <87h70yhboo.fsf@wheatstone.g10code.de>
Message-ID:

Well, pinentry-tty is what I prefer for using gpg for all other
operations. Since I'm using the gpg-agent, there doesn't seem to be a
way to specify using an alternative just for mutt.

The only way I know to make that work with gpg cli is to have
--pinentry-mode set to loopback, and pinentry-program in gpg-agent.conf
set to ...pinentry-tty

To be clear:

- I would like to use pinentry-tty during my normal gpg cli operations.
- I am fine with using pinentry-curses in the mutt context

Is there a way to do this?

all the best,
l

On Fri, Sep 23, 2022 at 08:00:55AM +0200, Werner Koch wrote:
> On Tue, 20 Sep 2022 16:56, Louis Holbrook said:
> 
> > I am using /usr/bin/pinentry-tty for password input, which in the
> > interactive mode lets me paste a password from the terminal.
> 
> Please use pinentry-curses or, if you run in an xterm, better one of the
> GUI pinentries. The pinentry-tty is a very dumb one which is unlikely to
> work correctly with another curses or slang application like Mutt.
> 
> 
> Shalom-Salam,
> 
>    Werner
> 
> -- 
> The pioneers of a warless world are the youth that
> refuse military service.             - A. Einstein


From atsilimigkras1 at tuc.gr Fri Sep 23 13:01:18 2022
From: atsilimigkras1 at tuc.gr (Tsilimigkras Athanasios)
Date: Fri, 23 Sep 2022 11:01:18 +0000
Subject: gpg-agent not working properly
Message-ID:

Hi,

I am trying to use a model called JULES which makes use of GPG Agent to
cache Subversion passwords.

My colleague Toby at UKCEH uses this system and it works fine using
GPG v2.0.22, but apparently this version of GPG reached its end of life
in 2017 according to https://www.gnupg.org/download/ and is no longer
supported (the current version is 2.3.7).

I have installed v2.2.4 of GPG but I find that I cannot cache my
password through Subversion (see screenshot).

Looking online, there seems to be a problem with versions after v2.1.11
(according to
https://askubuntu.com/questions/819184/gpg-agent-not-working-since-16-04-upgrade )
because (as far as I understand it) GPG no longer sets the environment
variable $GPG_AGENT_INFO and therefore this system of caching passwords
no longer works.

MY QUESTION: is there any way of changing the settings on GPGv2.2.4 to
allow this environment variable to be set and therefore allow passwords
to be cached as in earlier versions?

Thank you


From dgouttegattat at incenp.org Sun Sep 25 00:14:55 2022
From: dgouttegattat at incenp.org (Damien Goutte-Gattat)
Date: Sat, 24 Sep 2022 23:14:55 +0100
Subject: gpg-agent not working properly
In-Reply-To:
References:
Message-ID: <4722971.OV4Wx5bFTl@borealin.local.incenp.org>

Hi

On Friday, 23 September 2022 12:01:18 BST Tsilimigkras Athanasios wrote:
> MY QUESTION: is there any way of changing the settings on GPGv2.2.4 to allow
> this environment variable to be set and therefore allow passwords to be
> cached as in earlier versions?

No. But if you are using other programs that depend on that variable
being present (such as SVN), you can easily set that variable yourself:

  export GPG_AGENT_INFO=$(gpgconf --list-dirs agent-socket)::

Which version of SVN are you using, though? Because recent versions seem
to have been updated to look for GnuPG Agent's socket at the correct
places in the absence of the GPG_AGENT_INFO variable.

- Damien


From mikydevel at yahoo.fr Sun Sep 25 01:19:32 2022
From: mikydevel at yahoo.fr (Mik J)
Date: Sat, 24 Sep 2022 23:19:32 +0000 (UTC)
Subject: Gnupg on openbsd with enigma rouncube plugin
References: <1723098526.363984.1664061572384.ref@mail.yahoo.com>
Message-ID: <1723098526.363984.1664061572384@mail.yahoo.com>

Hello,

My goal is to use the enigma plugin that is part of roundcube webmail.

I get this error output

[18-Sep-2022 00:41:46 +0200]: GPG: /bin/gpg2 --status-fd '3' --command-fd '4' --no-secmem-warning --no-tty --no-default-keyring --no-options --no-permission-warning --exit-on-status-write-error --trust-model always --pinentry-mode loopback --ignore-time-conflict --ignore-valid-from --with-colons --with-fingerprint --with-fingerprint --fixed-list-mode --homedir '/enigma/myemail at mydomain.org' --utf8-strings --list-secret-keys -- 'myemail at mydomain.org'
[18-Sep-2022 00:41:46 +0200]: GPG: BEGIN PROCESSING
[18-Sep-2022 00:41:46 +0200]: GPG: selecting streams
[18-Sep-2022 00:41:46 +0200]: GPG: => got 1
[18-Sep-2022 00:41:46 +0200]: GPG: GPG error stream ready for reading
[18-Sep-2022 00:41:46 +0200]: GPG: => about to read 65536 bytes from GPG error
[18-Sep-2022 00:41:46 +0200]: GPG: => read 61 bytes
[18-Sep-2022 00:41:46 +0200]: GPG: selecting streams
[18-Sep-2022 00:41:46 +0200]: GPG: => got 1
[18-Sep-2022 00:41:46 +0200]: GPG: GPG error stream ready for reading
[18-Sep-2022 00:41:46 +0200]: GPG: => about to read 65536 bytes from GPG error
[18-Sep-2022 00:41:46 +0200]: GPG: => read 1 bytes
[18-Sep-2022 00:41:46 +0200]: GPG: ERROR: gpg: Fatal: failed to open '/dev/null': Device not configured
[18-Sep-2022 00:41:46 +0200]: GPG: selecting streams

So

a) When I launch this command

gpg2 --status-fd '3' --command-fd '4' --no-secmem-warning --no-tty --no-default-keyring --no-options --no-permission-warning --exit-on-status-write-error --trust-model always --pinentry-mode loopback --ignore-time-conflict --ignore-valid-from --with-colons --with-fingerprint --with-fingerprint --fixed-list-mode --homedir '/enigma/myemail at mydomain.org' --utf8-strings --list-secret-keys -- 'myemail at mydomain.org'

I have this error

gpg: Fatal: status-fd is invalid: Bad file descriptor

If I remove --status-fd I have this error

gpg: command-fd is invalid: Bad file descriptor

b) I found this post on the openbsd mailing list
https://misc.openbsd.narkive.com/BLr2vq7b/roundcube-and-enigma-pgp
Where they say "it would be better if the code were changed to use the
arc4random() family of functions, which avoid the need for this"
(this = /dev/urandom I guess)

In point a) why do I have these errors related to status-fd and command-fd?
In point b) gnupg cannot use arc4random() to get its entropy? Are there
any plans to implement that?

Regards


From mikydevel at yahoo.fr Sun Sep 25 14:02:28 2022
From: mikydevel at yahoo.fr (Mik J)
Date: Sun, 25 Sep 2022 12:02:28 +0000 (UTC)
Subject: Gnupg on openbsd with enigma rouncube plugin
In-Reply-To:
References: <1723098526.363984.1664061572384.ref@mail.yahoo.com> <1723098526.363984.1664061572384@mail.yahoo.com>
Message-ID: <418018404.499031.1664107348985@mail.yahoo.com>

Hello Bruce,

Yes I read all of that.

But for point a) I started the command gpg2 --status-fd '3' --command-fd '4' ... out of the chroot
For point b) they recommend not to use urandom, that's why I asked the question about arc4random()

Regards

On Sunday, 25 September 2022 at 13:33:05 UTC+2, Bruce Walzer wrote:

> On Sat, Sep 24, 2022 at 11:19:32PM +0000, Mik J via Gnupg-users wrote:
> > Hello,
> > My goal is to use the enigma plugin that is part of roundcube webmail.
> > I get this error output[18-Sep-2022 00:41:46 +0200]:
> [...]
> > [18-Sep-2022 00:41:46 +0200]: GPG: ERROR: gpg: Fatal: failed to open '/dev/null': Device not configured
> 
> OpenBSD isolates the web server in a chroot at /var/www . So you will
> have to create /var/www/dev and put some devices there.
> 
> [...]
> 
> > b) I found this post on the openbsd mailing list https://misc.openbsd.narkive.com/BLr2vq7b/roundcube-and-enigma-pgp
> > Where they say "it would be better if the code were changed to use the arc4random() family of functions, which avoid the need for this" (this = /dev/urandom I guess)
> 
> They also say you can create the /var/www/dev/urandom device and make
> sure that the partition that /var is in is not mounted with the "nodev"
> option.
> 
> Bruce


From bwalzer at 59.ca Sun Sep 25 13:33:00 2022
From: bwalzer at 59.ca (Bruce Walzer)
Date: Sun, 25 Sep 2022 06:33:00 -0500
Subject: Gnupg on openbsd with enigma rouncube plugin
In-Reply-To: <1723098526.363984.1664061572384@mail.yahoo.com>
References: <1723098526.363984.1664061572384.ref@mail.yahoo.com> <1723098526.363984.1664061572384@mail.yahoo.com>
Message-ID:

On Sat, Sep 24, 2022 at 11:19:32PM +0000, Mik J via Gnupg-users wrote:
> Hello,
> My goal is to use the enigma plugin that is part of roundcube webmail.
> I get this error output[18-Sep-2022 00:41:46 +0200]:
[...]
> [18-Sep-2022 00:41:46 +0200]: GPG: ERROR: gpg: Fatal: failed to open '/dev/null': Device not configured

OpenBSD isolates the web server in a chroot at /var/www . So you will
have to create /var/www/dev and put some devices there.

[...]

> b) I found this post on the openbsd mailing list https://misc.openbsd.narkive.com/BLr2vq7b/roundcube-and-enigma-pgp
> Where they say "it would be better if the code were changed to use the arc4random() family of functions, which avoid the need for this" (this = /dev/urandom I guess)

They also say you can create the /var/www/dev/urandom device and make
sure that the partition that /var is in is not mounted with the "nodev"
option.

Bruce


From angel at pgp.16bits.net Mon Sep 26 00:30:21 2022
From: angel at pgp.16bits.net (Ángel)
Date: Mon, 26 Sep 2022 00:30:21 +0200
Subject: Gnupg on openbsd with enigma rouncube plugin
In-Reply-To: <418018404.499031.1664107348985@mail.yahoo.com>
References: <1723098526.363984.1664061572384.ref@mail.yahoo.com> <1723098526.363984.1664061572384@mail.yahoo.com> <418018404.499031.1664107348985@mail.yahoo.com>
Message-ID:

On 2022-09-25 at 12:02 +0000, Mik J wrote:
> Hello Bruce,
> 
> Yes I read all of that.
> 
> But for point a) I started the command gpg2 --status-fd '3' --
> command-fd '4' ... out of the chroot

--status-fd and --command-fd are arguments used to direct gpg to use
different file descriptors (3 and 4, here) to handle status and
commands. Since you are not opening such file descriptors when running
it standalone, gpg complains. It's normal.

If you want to run it manually, you should remove both --status-fd 3 and
--command-fd 4

> For point b) they recommend not to use urandom, that's why I asked
> the question about arc4random()
> 
> Regards

You would need to recompile gpg with that change / convince the OpenBSD
maintainer of gpg to patch it to use arc4random() instead.

My recommendation: create the /dev nodes inside the chroot

Regards


From mikydevel at yahoo.fr Mon Sep 26 00:36:17 2022
From: mikydevel at yahoo.fr (Mik J)
Date: Sun, 25 Sep 2022 22:36:17 +0000 (UTC)
Subject: Gnupg on openbsd with enigma rouncube plugin
In-Reply-To:
References: <1723098526.363984.1664061572384.ref@mail.yahoo.com> <1723098526.363984.1664061572384@mail.yahoo.com> <418018404.499031.1664107348985@mail.yahoo.com>
Message-ID: <1827218435.762691.1664145377241@mail.yahoo.com>

Thank you Angel for these explanations.

On Monday, 26 September 2022 at 00:34:12 UTC+2, Ángel wrote:

> On 2022-09-25 at 12:02 +0000, Mik J wrote:
> > Hello Bruce,
> > 
> > Yes I read all of that.
> > 
> > But for point a) I started the command gpg2 --status-fd '3' --
> > command-fd '4' ... out of the chroot
> 
> --status-fd and --command-fd are arguments used to direct gpg to use
> different file descriptors (3 and 4, here) to handle status and
> commands. Since you are not opening such file descriptors when running
> it standalone, gpg complains. It's normal.
> 
> If you want to run it manually, you should remove both --status-fd 3 and
> --command-fd 4
> 
> > For point b) they recommend not to use urandom, that's why I asked
> > the question about arc4random()
> > 
> > Regards
> 
> You would need to recompile gpg with that change / convince the OpenBSD
> maintainer of gpg to patch it to use arc4random() instead.
> 
> My recommendation: create the /dev nodes inside the chroot
> 
> Regards


From angel at pgp.16bits.net Mon Sep 26 00:45:20 2022
From: angel at pgp.16bits.net (Ángel)
Date: Mon, 26 Sep 2022 00:45:20 +0200
Subject: Status of original PGP?
In-Reply-To: <2740699.DJkKcVGEfx@borealin.local.incenp.org>
References: <2740699.DJkKcVGEfx@borealin.local.incenp.org>
Message-ID: <17f8ed668f042eb9c90d0fc50465ae5e297848db.camel@16bits.net>

On 2022-09-08 at 00:27 +0100, Damien Goutte-Gattat wrote:
> > My interest in this is purely historical.
> 
> I had a somewhat similar interest a while ago. I was trying to find
> some technical details about the current version of PGP, e.g., which
> algorithms does it support? Did they implement ECC keys? If so, which
> curves? etc.
> 
> I was never able to find this kind of information...
> 
> - Damien

They support P-256, P-384 and P-521 elliptic curves, but not Curve 25519
https://knowledge.broadcom.com/external/article/175932/encryption-desktop-cannot-import-ecc-pgp.html

Regards


From wk at gnupg.org Mon Sep 26 15:50:33 2022
From: wk at gnupg.org (Werner Koch)
Date: Mon, 26 Sep 2022 15:50:33 +0200
Subject: Gnupg on openbsd with enigma rouncube plugin
In-Reply-To: ("Ángel"'s message of "Mon, 26 Sep 2022 00:30:21 +0200")
References: <1723098526.363984.1664061572384.ref@mail.yahoo.com> <1723098526.363984.1664061572384@mail.yahoo.com> <418018404.499031.1664107348985@mail.yahoo.com>
Message-ID: <87leq6dz2u.fsf@wheatstone.g10code.de>

On Mon, 26 Sep 2022 00:30, Ángel said:

> You would need to recompile gpg with that change / convince the OpenBSD

Please don't do that. Actually you would have to recompile Libgcrypt.
But don't do that (recompile with changes to the random code).

> My recommendation: create the /dev nodes inside the chroot

Yes. You may also want to run gpg-agent via the agent-extra-socket (see
gpgconf -L) thing for extra security; it's not an out-of-the-box
feature, though. gpg-agent takes care of the private keys and having it
isolated from the web server is a Good Thing.

Salam-Shalom,

   Werner

-- 
The pioneers of a warless world are the youth that
refuse military service.             - A. Einstein